A not-so-merry holiday gift for Amazon.com: hackers say they've successfully cracked copyright protections on the company's Kindle e-reader, making it possible to export e-books to other devices.
One hack reportedly resulted from a Kindle DRM challenge issued on Israeli forum Hacking.org. On that site, an Israeli hacker known as Labba claims to have created a tool that lets e-books stored on the Kindle be transferred as PDF files.
A U.S. hacker has written a program to crack copyright protections on the Kindle for PC application. (Credit: Amazon)
A U.S. hacker who goes by the name "i♥cabbages," meanwhile, created a program called Unswindle that promises to convert books stored in the Kindle for PC application into a different file format.
The free Kindle for PC app lets book buyers read their books right from their PCs without having to buy a Kindle reader. Unswindle has to be used in conjunction with MobiDeDRM, a program by another hacker named "darkreverser."
Posters on i♥cabbages' blog give Unswindle mixed reviews, ranging from "works like a charm" and "worked flawlessly" to descriptions of various errors.
The folks who run Amazon's EC2 cloud service must be happy the week is nearly over.
The cloud-based EC2 (Elastic Compute Cloud) was kept jumping this past week by two incidents: a compromised internal service that triggered a botnet, and a data center power failure in Virginia.
On Wednesday, security researchers for CA found that a variant of the infamous password-stealing Zeus banking Trojan had infected client computers after hackers were able to compromise a site on EC2 and use it as their own C&C (command and control) operation.
Don DeBolt, Director of Threat Research for CA Internet Security Business Unit, told CNET that the botnet first came to light while his firm was reviewing spam and found one with a URL for a piece of malware called xmas2.exe, described in a blog. After examining the file, DeBolt discovered it was a variant of the Zeus bot that was calling home to a computer inside Amazon Web Services, which houses EC2.
As a keylogger, Zeus is known to specifically capture bank account information, noted DeBolt, and was trying to perform the same crime in this case. The bot was also attempting to report the IP addresses of any clients that were infected via spam. The cybercrooks reportedly snuck their way into EC2 by gaining access through a site hosted on Amazon's service.
Once the bot was discovered, DeBolt and his team contacted Amazon to provide all the information from their client-based analysis. Since then, the files that were serving up the botnet on Amazon's side are no longer active.
Updated 3:15 p.m. PDT April 14 with Amazon saying the problem has been fixed; 2:15 p.m. with an insider saying it was a manual error by an Amazon worker in France; and 9:45 a.m. with background on Weev and comment from sources who say he is most likely not involved in the Amazon incident.
Amazon got blasted by gay rights groups this weekend after gay and lesbian book titles were delisted from its site. Was it an internal glitch, as Amazon claims, or is an Internet troll with a vendetta responsible?
Amazon spokeswoman Patty Smith told CNET News on Monday that the "glitch" was being fixed, but declined to elaborate. (By Tuesday afternoon the problem was all fixed, she said.)
"This is an embarrassing and ham-fisted cataloging error for a company that prides itself on offering complete selection," she wrote in an e-mail statement.
"It has been misreported that the issue was limited to Gay and Lesbian themed titles--in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind and Body, Reproductive and Sexual Medicine, and Erotica," the statement said. "This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon's main product search."
However, a Live Journal blogger with the alias of "weev" claims he did it to cause an outrage among the gay community, which he alleges has repeatedly flagged his online ads on Craigslist as inappropriate.
"I guess my game is up! Here's a nice piece I like to call 'how to cause moral outrage from the entire Internet in ten lines of code,'" he writes on his blog.
Weev said he figured out that he could easily get the books removed from search rankings by reporting them as inappropriate through a link at the bottom of the book page. He also claims he wrote code to identify all the gay and lesbian metadata-tagged books on Amazon and grab their IDs. He then hired people outside the U.S. to register new accounts en masse to help push the books out of the system, he said.
"Now from here it was a matter of getting a lot of people to vote for the books," he wrote. "The thing about the adult reporting function of Amazon was that it was vulnerable to something called 'cross-site request forgery.' This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game."
Amazon's Smith dismissed the claim and insisted the error was internal. She is not alone. Several sources have questioned Weev's account, particularly given his notoriety as an Internet troll, someone who flames others in online discussions and is intentionally disruptive on the Web.
Blogger Mike Daisey, who worked in customer support and business development at Amazon from 1998 until 2001, wrote on his blog that: "Someone was editing the category systems inside of Amazon.fr, made an error, and that system is global, so it propagated everywhere. I have no insight as to anyone's nationality, or whether it was a language gap, or anything of that nature."
Smith declined to comment on Daisey's explanation.
A Seattle Post-Intelligencer article quotes an unnamed Amazon employee who confirmed the report of manual error. "Amazon managers found that an employee who happened to work in France had filled out a field incorrectly and more than 50,000 items got flipped over to be flagged as 'adult,'" the source told the newspaper.
Blogger Bryant Durrell said he tested out Weev's concept and doesn't believe it is legitimate, partly because of buggy code.
"Summation: nope, you didn't do that, you liar you. Nice meta-troll, though," Durrell wrote on his blog.
"The really interesting thing about the troll is that he's right even if he didn't do it. The vulnerability he describes exists anywhere you make automated decisions based on third-party input."
Among the more than 1,500 products on Amazon that have been tagged "amazonfail" are "Lady Chatterley's Lover" and "Brokeback Mountain."
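The report-abuse pattern Weev describes and the broader point Durrell makes both come down to a state-changing request that any logged-in visit can trigger. The following is an added example, not code from Amazon or from either blogger: a constructed request model with the weak handler beside a hardened one that demands a POST from the site's own origin carrying a session-bound token (the session store, origin and server secret are assumed values).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a server-side session store (session cookie -> account).
SESSIONS = {"sess-alice": "alice"}
SITE_ORIGIN = "https://shop.example"   # assumption: the shop's own origin
SECRET = b"constructed-server-secret"  # assumption: per-deployment secret

@dataclass
class Request:
    method: str
    params: dict
    cookies: dict
    headers: dict = field(default_factory=dict)

def csrf_token(session_id: str) -> str:
    """Token derived from the session, so a copied link cannot carry a valid one."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def report_adult_weak(req: Request, complaints: dict) -> bool:
    """The pattern the post describes: any logged-in hit on the URL is a complaint."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return False
    complaints.setdefault(req.params["item"], set()).add(user)
    return True

def report_adult_hardened(req: Request, complaints: dict) -> bool:
    """State change only via POST, from our own origin, with a session-bound token."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None or req.method != "POST":
        return False
    if req.headers.get("Origin") != SITE_ORIGIN:
        return False  # a form submitted from another site carries that site's origin
    if not hmac.compare_digest(req.params.get("csrf", ""), csrf_token(sid)):
        return False  # a copied or guessed link has no valid token
    complaints.setdefault(req.params["item"], set()).add(user)
    return True

def lured_get(item: str) -> Request:
    """Victim follows a link to the complaint URL; the browser attaches the cookie."""
    return Request("GET", {"item": item}, {"session": "sess-alice"})

def legit_post(item: str) -> Request:
    """The site's own report form: POST carrying the token rendered for this session."""
    return Request("POST", {"item": item, "csrf": csrf_token("sess-alice")},
                   {"session": "sess-alice"}, {"Origin": SITE_ORIGIN})
```

The Origin check and the token are independent layers; on current browsers the SameSite cookie attribute adds a third.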
To critics, cloud computing can't be trusted because you aren't in control of the data outside your network.
But if that's the case, then how secure are the data and collocation centers that corporations contract with to host their data?
"It does come down to vetting the practices of the provider and making sure they meet the standards you want for your business," Phil Hochmuth, a senior analyst at Yankee Group, said Monday, the eve of Cloud Computing Innovation Day in Santa Clara, Calif.
Companies like Salesforce.com, Amazon.com, and Google have built businesses around serving up on-demand services to enterprises that would rather pay a service provider than buy hardware and hire staff to manage their databases. However, handing over the data is still a cause for concern among many corporations.
"What are they doing to the data? Is it persistently encrypted? Are there access controls in place? Do you get to monitor who they hire and who cleans the data centers at night?" said Phil Dunkelberger, chief executive of PGP Corp. in relaying the concerns on peoples' minds about cloud computing.
How secure is the data? "It's one of the first questions we get, especially from enterprises," said Adam Selipsky, vice president of product management and developer relations for Amazon Web Services.
Securing the data is key to a cloud service provider's business, Selipsky said. "We can afford to devote resources to it that, quite frankly, most of our customers can't," he added.
"Cloud computing can be as secure, if not more secure, than the traditional environment," said Eran Feigenbaum, director of security for Google Apps. "Most organizations really struggle, whether they want to admit it or not, securing their networks."
Feigenbaum points to data breaches that hit the headlines, such as the one that exposed credit card information held by payment processor Heartland recently.
Then there are the statistics that show that one-third of breaches result from stolen or lost laptops and other devices and from employees accidentally exposing data on the Internet, with nearly 16 percent due to insider theft.
"Cloud computing can fix some of these issues," Feigenbaum said.
Not only can Google apply patches more quickly than most enterprises to plug holes in software, but the Google Apps Premier edition offers the ability to protect data in transit by encrypting it in the pipe between Google and the user's desktop, as well as offer control over who can access the data, he said.
Cloud service providers are held to high standards, must offer evidence of security certifications, and are subject to inspections by auditors, placing them under much higher scrutiny than typical in-house security teams, according to Peter Coffee, director of platform research at Salesforce.com.
Most data theft results from someone authorized to access the data doing so improperly or handling the data carelessly, he said. With cloud-based services, when a user logs out, the browser cache can be set to flush automatically, leaving nothing on the desktop to be lost or stolen, and logs can show who did what to which data, he added.
"This is inherently safer than the typical client-server model of downloading data that remains on the end-user device, and is far more secure than distributing data as e-mail attachments whose subsequent use and transmittal are largely uncontrolled," Coffee wrote in an e-mail reply to questions.
The security concern with cloud computing is a cultural issue, said Rebecca Wettemann, a vice president at Nucleus Research.
"The question is would I rather be at a huge data center where a vendor is contractually required to keep my data secure or would I rather rely on my staff to do it properly?" Wettemann said. "You need to trust that your vendor will manage your data."
So far, there haven't been any significant security breaches with an on-demand services vendor, she said. And people are getting used to the idea of being able to access their data anytime and from anywhere because it is out on the Internet, she added.
There have also been precursors to cloud computing that people are familiar with, such as the evolution of answering machines to voice mail services, said Peter Evans, director of security strategy and technology integration at IBM Security Systems.
"It is as much an emotional thing as anything," Evans said. "When my data is on my server in my building, there is a good gut feeling about that. When it's out in the ether, how do I know it's protected?"
SAN FRANCISCO--The media are responsible, in part, for the lack of greater adoption of mobile payment systems in the United States, a panel of payment leaders said here Thursday at the fall 2008 CTIA.
"I think the media, because they don't understand the technology, and consumers, because they don't understand the technology, have created a hysteria around this," said Barry McCarthy, president of Mobile Solutions for First Data. "I think it's entirely unfounded."
Contactless payment systems use near field communication (NFC), an extension of the ISO 14443 proximity-card standard that allows mobile devices to use short-range high-frequency wireless communication between devices. A consumer might, for example, hold an NFC-enabled mobile device near an NFC-enabled point of sale (POS) to wirelessly debit a person's bank account to complete a sales transaction. Or a person might hold an NFC-enabled mobile device near a smart tag embedded in a poster to gain additional information about a product or a service.
In Southeast Asia and Europe, mobile devices are already being used as electronic wallets. Adoption of mobile payments in the United States has so far been hampered, other members of the panel agreed, by a lack of retail adoption. They did, however, cite increasing use with public transit systems and within quick-service restaurants.
"I don't think it's necessarily about people being concerned about security as it is understanding just exactly what it is, how it works, and the security that is present there," McCarthy said. "(Security is) an excuse that a merchant might throw out" not to adopt contactless POS equipment today.
James Anderson, a vice president at MasterCard Worldwide, said his company had surveyed consumers on this topic for a few years and found that the security of the new contactless cards was not an issue with consumers in part because of the brand associated with the card, what he called the "brand promise." Anderson said any controversy around security is just "our good friends in the media needing things to write about."
Spencer White, director of Mobile Financial Services for AT&T, argued that NFC was more secure than magnetic stripe cards. He said handling the physical credit card can expose the account number, but mobile NFC exchanges can be secured with one-time token exchanges or PIN codes. "We believe that we can demonstrate, that we can communicate quite effectively that mobile is a more secure solution in general," White said.
White cited two recent test cases in which AT&T equipped customers with NFC-payment-enabled mobile phones; after a short exposure, they tended to feel more secure using it. "Mobile has a great story to tell around security, but it's a story that has to be told. It's not intuitive," White said.
Howard Gefen, director of External Payment Services for Amazon.com, agreed. "There's a lot of uncertainty around a new payment system. Customers don't always know what's going to happen so they focus on the unknown, and security is an easy one to go wrong," he said. Gefen said that Amazon's mobile service includes the ability to get callbacks as confirmation, but that after a few purchases, most consumers were confident enough to start turning off that feature.
The panelists agreed that the brand promise would be the primary driving force. For example, knowing that MasterCard, AT&T, and Amazon all guaranteed the user's purchase would be secure tended to win over reluctant customers in the end.